U.S. patent application number 14/094529 was filed with the patent office on 2015-06-04 for network proxy layer for policy-based application proxies.
The applicants listed for this patent are Chih-Wei Chao, Lee Chen and Feilong Xu. Invention is credited to Chih-Wei Chao, Lee Chen and Feilong Xu.
Application Number: 20150156223 (14/094529)
Family ID: 53266295
Filed Date: 2015-06-04
United States Patent Application 20150156223
Kind Code: A1
Xu; Feilong; et al.
June 4, 2015
NETWORK PROXY LAYER FOR POLICY-BASED APPLICATION PROXIES
Abstract
A system and method for providing a network proxy layer are
disclosed. The network proxy layer may receive a connection
establishment event for a client connection of an application
session and send the client connection event to an application
proxy for the application session, the application proxy being
associated with an application of a server. Upon establishment of
the client connection, the network proxy layer may receive one or
more data packets from the client connection. The network proxy
layer may further receive a connection establishment event for a
server connection of the application session of the server, and
receive one or more data packets from the server connection.
Inventors: Xu; Feilong (San Jose, CA); Chao; Chih-Wei (Saratoga, CA); Chen; Lee (Saratoga, CA)
Applicant:
Name | City | State | Country | Type
Xu; Feilong | San Jose | CA | US |
Chao; Chih-Wei | Saratoga | CA | US |
Chen; Lee | Saratoga | CA | US |
Family ID: 53266295
Appl. No.: 14/094529
Filed: December 2, 2013
Current U.S. Class: 709/227
Current CPC Class: H04L 67/141 20130101; H04L 65/105 20130101; H04L 65/1069 20130101
International Class: H04L 29/06 20060101 H04L029/06
Claims
1. A method for providing a network proxy layer, comprising:
receiving a connection establishment event for a client connection
of an application session; sending a client connection event to an
application proxy for the application session upon receiving the
connection establishment event for the client connection, the
application proxy associated with an application of a server;
receiving one or more data packets from the client connection;
receiving a connection establishment event for a server connection
of the application session to the server; and receiving one or more
data packets from the server connection.
2. The method of claim 1, wherein the receiving one or more data
packets from the client connection further comprises: sending a
client data to the application proxy, the client data derived from
the one or more data packets from the client connection.
3. The method of claim 1, wherein the receiving one or more data
packets from the client connection further comprises: processing
the one or more data packets from the client connection based on a
security or service policy.
4. The method of claim 1, wherein the receiving one or more data
packets from the client connection further comprises: processing
the one or more data packets from the client connection based on a
protocol format associated with the application proxy.
5. The method of claim 1, wherein the receiving a connection
establishment event for a server connection of the application
session to the server comprises: receiving a request for the server
connection; establishing the server connection with the server upon
receiving the request for the server connection; and receiving the
connection establishment event for the server connection.
6. The method of claim 5, wherein the receiving a request for the
server connection comprises an address of the server.
7. The method of claim 6, wherein the establishing the server
connection with the server upon receiving the request for the
server connection is based on the address of the server.
8. The method of claim 1, wherein the receiving one or more data
packets from the server connection further comprises: sending a
server data to the application proxy wherein the server data is
derived from the one or more data packets from the server
connection.
9. The method of claim 1, wherein the receiving one or more data
packets from the server connection further comprises: processing
the one or more data packets from the server connection based on a
security or service policy.
10. The method of claim 1, wherein the receiving one or more data
packets from the server connection further comprises: processing
the one or more data packets from the server connection based on a
protocol format associated with the application proxy.
11. The method of claim 1, further comprising: receiving client
transmit data from the application proxy; and sending the client
transmit data to the server connection.
12. The method of claim 11, wherein the client transmit data is
sent to the server connection as one or more data packets.
13. The method of claim 1, further comprising: receiving server
transmit data from the application proxy; and sending the server
transmit data to the client connection.
14. The method of claim 13, wherein the server transmit data is
sent to the client connection as one or more data packets.
15. The method of claim 1, wherein the client connection or the
server connection is a TCP connection.
16. The method of claim 1, wherein the application is one of a TCP
application, a secure TCP application, a HTTP application, a secure
HTTP application, a SIP application, or a secure SIP
application.
17. A non-transitory computer-readable storage medium having
instructions stored thereon, the instructions being executable by
one or more processors to perform a method for providing a network
proxy layer, the method comprising: receiving a connection
establishment event for a client connection of an application
session; sending a client connection event to an application proxy
for the application session upon receiving the connection
establishment event for the client connection, the application
proxy associated with an application of a server; receiving one or
more data packets from the client connection; receiving a
connection establishment event for a server connection of the
application session to the server; and receiving one or more data
packets from the server connection.
18. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the client
connection further comprises: sending a client data to the
application proxy, the client data derived from the one or more
data packets from the client connection.
19. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the client
connection further comprises: processing the one or more data
packets from the client connection based on a security or service
policy.
20. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the client
connection further comprises: processing the one or more data
packets from the client connection based on a protocol format
associated with the application proxy.
21. The non-transitory computer-readable storage medium of claim
17, wherein the receiving a connection establishment event for a
server connection of the application session to the server
comprises: receiving a request for the server connection;
establishing the server connection with the server upon receiving
the request for the server connection; and receiving the connection
establishment event for the server connection.
22. The non-transitory computer-readable storage medium of claim
21, wherein the receiving a request for the server connection
comprises an address of the server.
23. The non-transitory computer-readable storage medium of claim
22, wherein the establishing the server connection with the server
upon receiving the request for the server connection is based on
the address of the server.
24. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the server
connection further comprises: sending a server data to the
application proxy wherein the server data is derived from the one
or more data packets from the server connection.
25. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the server
connection further comprises: processing the one or more data
packets from the server connection based on a security or service
policy.
26. The non-transitory computer-readable storage medium of claim
17, wherein the receiving one or more data packets from the server
connection further comprises: processing the one or more data
packets from the server connection based on a protocol format
associated with the application proxy.
27. The non-transitory computer-readable storage medium of claim
17, further comprising: receiving client transmit data from the
application proxy; and sending the client transmit data to the
server connection.
28. The non-transitory computer-readable storage medium of claim
27, wherein the client transmit data is sent to the server
connection as one or more data packets.
29. The non-transitory computer-readable storage medium of claim
17, further comprising: receiving server transmit data from the
application proxy; and sending the server transmit data to the
client connection.
30. The non-transitory computer-readable storage medium of claim
29, wherein the server transmit data is sent to the client
connection as one or more data packets.
31. The non-transitory computer-readable storage medium of claim
17, wherein the client connection or the server connection is a
TCP connection.
32. The non-transitory computer-readable storage medium of claim
17, wherein the application is one of a TCP application, a secure
TCP application, a HTTP application, a secure HTTP application, a
SIP application, or a secure SIP application.
Description
BACKGROUND
[0001] 1. Field of the Invention
[0002] The present invention relates generally to data networks,
and more particularly to policy based data networks.
[0003] 2. Description of the Related Art
[0004] The approaches described in this section could be pursued
but are not necessarily approaches that have previously been
conceived or pursued. Therefore, unless otherwise indicated, it
should not be assumed that any of the approaches described in this
section qualify as prior art merely by virtue of their inclusion in
this section.
[0005] Data networks such as the Internet, enterprise data
networks, mobile broadband networks, and cloud networks have become
an integral part of our lives. We use applications over data
networks to obtain news, gather product information, reserve a
table for dinner, submit a payment, purchase a good, read a book,
find a map, make or receive phone calls, conduct or join a
conferencing event, participate in a meeting, work on a document,
approve a promotion, chat with a friend, watch television and
videos, book a plane ticket, and do many other things in our normal
lifestyle or work style. Corporate computers use applications over
data networks for business transactions, factory control, corporate
voice and telephony services, inventory, fleet management and many
other business uses.
[0006] Typically a client computer requests a service from a
network application being served by a server computer. The
communication session between the client computer and the server
computer passes through a data network. Often, for security reasons
and for load balancing purposes, network applications of certain
types of communication sessions are inspected by the data network,
for example, using a server load balancer (SLB), an application
delivery controller (ADC), a firewall, a hypervisor application
server or a media gateway. These communication sessions may include
HTTP sessions, TCP sessions, and SIP sessions. In one example, a
HTTP application is to be inspected in the data network. An
application proxy for the HTTP application will be deployed in a
network device in the data network where the network device
intercepts a communication session of the HTTP application between
a client and a server serving the HTTP application. The HTTP
application proxy receives data packets from the client, examines
the client data, performs a TCP/IP layer security control, performs
a HTTP protocol layer security control, performs additional
security and service processing specific to the HTTP application,
and finally sends the client data, perhaps modified based on the
above mentioned processing, to the server. On the reverse path, the
HTTP application proxy receives data from the server and applies
similar processing before sending the server data, modified when
necessary, to the client. The HTTP application proxy needs to
handle any data buffer management, and any necessary security
handling associated with the HTTP application and the underlying
protocol layers.
[0007] In another example, a network device performs a SIP
application proxy for a Voice Over IP (VoIP) and media application,
where the network device provides security and traffic policy
services to enhance the VoIP and media application.
[0008] Typically, each network application proxy behaves similarly
in deployment. When the number of network application proxies
deployed in a network device increases, there may be redundant
effort in the handling of application proxies. Also, the handling
of proxies among the different application proxies may be
inconsistent, leading sometimes to undesirable behavior of the
network device.
[0009] Thus, there is a need to provide a common network proxy
layer to offer a consistent and efficient mechanism for network
application proxies.
SUMMARY
[0010] This summary is provided to introduce a selection of
concepts in a simplified form that are further described in the
Detailed Description below. This summary is not intended to
identify key features or essential features of the claimed subject
matter, nor is it intended to be used as an aid in determining the
scope of the claimed subject matter.
[0011] The present disclosure is related to approaches for
providing a network proxy layer for policy-based application
proxies. In embodiments of the invention, a common network proxy
layer may be provided so that one or more network application
proxies on that layer process data efficiently, and in the same
manner.
[0012] In an exemplary method for providing a network proxy layer,
the method may comprise receiving a connection establishment event
for a client connection of an application session, and sending a
client connection event to an application proxy for the application
session, the application proxy associated with an application of a
server. The method may further comprise receiving one or more data
packets from the client connection, receiving a connection
establishment event for a server connection of the application
session to the server; and receiving one or more data packets from
the server connection.
[0013] In further example embodiments of the present disclosure,
the method steps are stored on a computer-readable medium
comprising instructions, which when implemented by one or more
processors perform the recited steps. In yet further example
embodiments, hardware systems, or devices can be adapted to perform
the recited steps. Other features, examples, and embodiments are
described below.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] Embodiments are illustrated by way of example and not
limitation in the figures of the accompanying drawings, in which
like references indicate similar elements and in which:
[0015] FIG. 1 illustrates an exemplary embodiment of a service
gateway having a plurality of application proxies using a network
proxy layer.
[0016] FIG. 2 illustrates components of an exemplary service
gateway.
[0017] FIG. 3 illustrates an exemplary embodiment of a proxy state
machine.
[0018] FIG. 4 illustrates an application proxy processing data
packets exchanged over an application session in an exemplary
embodiment.
[0019] FIG. 5 illustrates an exemplary HTTP application proxy using
a network proxy layer.
[0020] FIG. 6 illustrates an exemplary TCP proxy using a network
proxy layer.
[0021] FIG. 7 illustrates a plurality of application proxies over
an application session in an exemplary embodiment.
[0022] FIG. 8 illustrates a diagrammatic representation of a
computing device for a machine in the example electronic form of a
computer system, within which a set of instructions for causing the
machine to perform any one or more of the methodologies discussed
herein can be executed.
DETAILED DESCRIPTION
[0023] The following detailed description includes references to
the accompanying drawings, which form a part of the detailed
description. The drawings show illustrations in accordance with
example embodiments. These example embodiments, which are also
referred to herein as "examples," are described in enough detail to
enable those skilled in the art to practice the present subject
matter. The embodiments can be combined, other embodiments can be
utilized, or structural, logical, and electrical changes can be
made without departing from the scope of what is claimed. The
following detailed description is therefore not to be taken in a
limiting sense, and the scope is defined by the appended claims and
their equivalents. In this document, the terms "a" and "an" are
used, as is common in patent documents, to include one or more than
one. In this document, the term "or" is used to refer to a
nonexclusive "or," such that "A or B" includes "A but not B," "B
but not A," and "A and B," unless otherwise indicated.
[0024] Referring now to the drawings, FIG. 1 illustrates a service
gateway 300 servicing a plurality of application proxies 701, 702
using network proxy layer 620.
[0025] In an example embodiment, service gateway 300 connects to
client device 100 over a data network 501. Data network 501 may
comprise an Internet Protocol (IP) network, a corporate data
network, a regional corporate data network, an Internet service
provider network, a residential data network, a wired network such
as Ethernet, a wireless network such as a WiFi network, or a
cellular network. Data network 501 may reside in a data center, or
connect to any other network or a cloud-based network.
[0026] In an example embodiment, service gateway 300 connects to
server 200 over a data network 503. Data network 503 may comprise
an Internet Protocol (IP) network, a corporate data network, a
regional corporate data network, an Internet service provider
network, a residential data network, a wired network such as
Ethernet, a wireless network such as a WiFi network, or a cellular
network. Data network 503 may reside in a data center, or connect
to any other network or application network cloud. Data network 503
may also be the same as data network 501 in some embodiments.
[0027] Client device 100 is typically a computing device with
network access capabilities. In example embodiments, client device
100 may be a workstation, a desktop personal computer, a laptop
personal computer, a Personal Data Assistant (PDA), a tablet
computing device, a smartphone, a cellular phone, a set-top box, an
Internet media viewer, an Internet media player, a smart sensor, a
smart medical device, a net-top box, a networked television set, a
networked DVR, a networked Blu-ray player, a networked handheld
gaming device, a media center, a mobile device, or a networked
personal computing device.
[0028] In other embodiments, client device 100 may also be a
residential broadband gateway, a business Internet gateway, a
business computing server, a network customer premise device (CPE),
or an Internet access gateway.
[0029] In exemplary embodiments, client device 100 may include a
broadband remote access server (BRAS), a Digital Subscriber Line
Access Multiplexer (DSLAM), a Cable Modem Terminating System
(CMTS), or a service provider access gateway. Client device 100 may
also include a mobile broadband access gateway such as a Gateway
GPRS Support Node (GGSN), a Home Agent (HA), or a PDN Gateway
(PGW).
[0030] In various embodiments, client device 100 may include a
server load balancer, an application delivery controller, a traffic
manager, a firewall, a VPN server, a remote access server, or an
enterprise or datacenter access gateway. In one embodiment, client
device 100 may be a device similar to service gateway 300.
[0031] In an exemplary method, client device 100 initiates
application session 400 towards server 200 via service gateway
300.
[0032] Server 200 is a computing device typically coupled to a
processor and a computer readable medium which stores computer
readable program code. Server 200, with the processor and the
computer readable program code, may implement the functionality of
a Web server, a file server, a video server, a database server, an
application server, a voice system, a conferencing server, a media
gateway, a media center, an app server or a network server
providing an application service to client device 100 using the
application session 400. In one embodiment, server 200 may be a
device similar to service gateway 300.
[0033] Service gateway 300, illustrated in FIG. 2, may be
operationally coupled to a processor module 310, a memory module
320, a network interface module 330, and a computer readable medium
340. The computer readable medium 340 stores computer readable
program code, which when executed by the processor module 310 using
the memory module 320, may implement the various embodiments of the
present invention as described herein. In some embodiments, service
gateway 300 may be implemented as a server load balancer, an
application delivery controller, a service delivery platform, a
traffic manager, a security gateway, a component of a firewall
system, a component of a virtual private network (VPN), a network
proxy gateway, a network application server, a load balancer for
video servers, a gateway to distribute load to one or more servers,
a Web or HTTP server, a network address translation (NAT) gateway,
or a TCP server.
[0034] Returning to FIG. 1, service gateway 300 may implement the
functionality of TCP/IP layer 610, network proxy layer 620, and at
least one application proxy, which may include application proxy
701 and/or application proxy 702. In one embodiment, network proxy
layer 620 is implemented in network interface module 330 and
network interface module 330 may include a network processor or an
ASIC/FPGA circuitry capable of processing network proxy layer 620.
In one embodiment, network proxy layer 620 is implemented in
processor module 310.
[0035] Application session 400 may be a TCP session conducted via
service gateway 300. In an exemplary embodiment, application proxy
701 processes application session 400. Service gateway 300 receives
data packets of application session 400. TCP/IP layer 610 receives
and processes the received application session 400 data packets and
passes the processed data packets to network proxy layer 620.
Network proxy layer 620 provides additional processing to the data
packets and sends the processed data packets to application proxy
701. Upon processing the received application session 400 data
packets, application proxy 701 may send responses based on the
received data packets to network proxy layer 620, which in turn
processes the responses and sends them to TCP/IP layer 610. TCP/IP
layer 610 further processes the responses received from network
proxy layer 620 and transmits the results to client device 100 via
data network 501 or to server 200 via data network 503.
[0036] Application proxy 701 may relate to an application of server
200 serving application session 400.
[0037] FIG. 3 illustrates an exemplary embodiment of network proxy
layer 620. In one embodiment, network proxy layer 620 may include a
state machine with three states: client connected state 621, server
connecting state 623 and server connected state 625. In an example
embodiment, network proxy layer 620 receives a client establishment
event 612 from TCP/IP layer 610. Client establishment event 612 may
be received when TCP/IP layer 610 exchanges or successfully
establishes a TCP session connection with client device 100. Upon
receiving client establishment event 612, network proxy layer 620
enters client connected state 621.
[0038] In various embodiments, network proxy layer 620 may indicate
the client establishment event 612 to application proxy 701.
Network proxy layer 620 may send a client connection event 629 to
application proxy 701 to indicate receipt of client establishment
event 612. Client connection event 629 may include information
about client device 100. Client connection event 629 may also
include the TCP session connection with client device 100.
[0039] In one embodiment, network proxy layer 620 may include a
client transmit buffer 622. Client transmit buffer 622 may store
client data sent by application proxy 701 towards server 200.
Client transmit buffer 622 will be further described below. In an
example embodiment, network proxy layer 620 may determine that
client transmit buffer 622 is not empty and has data to be
transmitted to server 200 while network proxy layer 620 is in
client connected state 621. Network proxy layer 620 may then change
to server connecting state 623. Network proxy layer 620 may
establish a TCP session with server 200. In one embodiment, network
proxy layer 620 instructs TCP/IP layer 610 to establish a TCP
session with server 200. In one embodiment, application proxy 701
informs network proxy layer 620 of the address of server 200 for the
TCP session. In one embodiment, the client transmit buffer 622
includes the server 200 address information.
[0040] Once TCP/IP layer 610 successfully establishes a TCP session
with server 200, TCP/IP layer 610 may send a server establishment
event 615 to network proxy layer 620. Upon receiving the server
establishment event 615, network proxy layer 620 may change to
server connected state 625. At the server connected state 625,
service gateway 300 has a TCP session with client device 100 and a
TCP session with server 200. Client device 100 and server 200 can
exchange data packets for the application session 400 via service
gateway 300.
[0041] FIG. 4 illustrates an example embodiment of data packets
exchanged between client device 100 and server 200 where
application proxy 701 processes the exchanged data packets.
[0042] In an example embodiment, network proxy layer 620 receives a
client data packet 617 from client device 100 via TCP/IP layer 610.
Network proxy layer 620 processes client data packet 617, generates
client received data 627 using client data packet 617, and sends
client received data 627 to application proxy 701. Network proxy
layer 620 may also send client received data 627 to application
proxy 701 after processing and combining one or more client data
packets from client device 100. Furthermore, network proxy layer
620 may also perform one or more security checks or other policy
based services on client data packet 617 prior to sending to
application proxy 701. Network proxy layer 620 may also include a
client connection event in client received data 627.
[0043] In one embodiment, application proxy 701 puts data into
client transmit buffer 622. Application proxy 701 may also put data
derived from client received data 627 into client transmit buffer
622. In one embodiment, application proxy 701 performs a proxy
function on behalf of a corresponding application on server 200
serving application session 400. In various embodiments,
application proxy 701 may also include information about server
200. In an example embodiment, application proxy 701 selects server
200 based on client received data 627. Application proxy 701 may
include information about server 200 as a request to establish a
session with server 200. Network proxy layer 620 may detect
presence of data in client transmit buffer 622, and send the data
in client transmit buffer 622 to server 200, via TCP/IP layer 610
onto the established server TCP session with server 200. The data
in client transmit buffer 622 may include information about server
200. Network proxy layer 620 may use the server information to
establish the server TCP session with server 200. Network proxy
layer 620 may also establish the server TCP session with server 200
if the server TCP session is not present. In one embodiment,
network proxy layer 620 establishes the server TCP session with
server 200 if the information about server 200 differs from the
existing server TCP session.
[0044] In an example embodiment, network proxy layer 620 receives a
server data packet 618 from server 200 via TCP/IP layer 610. In one
embodiment, network proxy layer 620 generates server received data
628 from server data packet 618 and sends server received data 628
to application proxy 701. Network proxy layer 620 may perform
additional processing such as security or modification of server
data packet 618 prior to generating server received data 628.
[0045] In exemplary embodiments, application proxy 701 may put data
into server transmit buffer 624. Application proxy 701 may put data
derived from server received data 628 into server transmit buffer
624. In one embodiment, application proxy 701 performs a proxy
function on behalf of a service application on server 200 serving
application session 400.
[0046] Network proxy layer 620 may also detect presence of data in
server transmit buffer 624, and send the data in server transmit
buffer 624 to client device 100, via TCP/IP layer 610 on the
established client TCP session with client device 100.
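The three-state network proxy layer of FIG. 3 together with the buffer handling of FIG. 4, as an added Python simulation that is not part of the application: TCP/IP layer 610 is replaced by a recording stub, and the pass-through application proxy, the packet-size policy and all addresses are constructed for the example.

```python
from enum import Enum, auto

class State(Enum):
    CLIENT_CONNECTED = auto()   # state 621
    SERVER_CONNECTING = auto()  # state 623
    SERVER_CONNECTED = auto()   # state 625

class FakeTcpIpLayer:
    # Stand-in for TCP/IP layer 610, constructed for this example: it records
    # connect requests and transmitted bytes instead of touching sockets.
    def __init__(self):
        self.connect_requests, self.sent_to_server, self.sent_to_client = [], [], []

    def connect(self, addr):
        self.connect_requests.append(addr)

    def send_to_server(self, data):
        self.sent_to_server.append(data)

    def send_to_client(self, data):
        self.sent_to_client.append(data)

class PassThroughProxy:
    # Minimal application proxy in the spirit of FIG. 6. It fills buffer 622
    # with (data, server address) pairs; the address is its request for a server session.
    def __init__(self, server_addr):
        self.server_addr, self.connection_events = server_addr, []

    def on_client_connection(self, event):
        self.connection_events.append(event)

    def on_client_data(self, data):
        return [(data, self.server_addr)]

    def on_server_data(self, data):
        return [data]

class NetworkProxyLayer:
    def __init__(self, tcpip, app_proxy, max_packet=4096):
        self.tcpip, self.app_proxy = tcpip, app_proxy
        self.max_packet = max_packet  # example service policy: packet size cap
        self.state, self.server_addr, self.dropped = None, None, 0
        self.client_tx = []  # client transmit buffer 622
        self.server_tx = []  # server transmit buffer 624

    def client_establishment_event(self, client_info):  # event 612
        self.state = State.CLIENT_CONNECTED
        self.app_proxy.on_client_connection({"client": client_info})  # event 629

    def server_establishment_event(self):  # event 615
        if self.state is not State.SERVER_CONNECTING:
            raise RuntimeError("unexpected server establishment event")
        self.state = State.SERVER_CONNECTED
        self._flush_client_tx()

    def client_data_packet(self, packet):  # packet 617
        if self.state is None:
            raise RuntimeError("client data before client connection")
        if len(packet) > self.max_packet:  # policy check before the proxy sees it
            self.dropped += 1
            return
        # client received data 627 goes to the proxy, which fills buffer 622
        self.client_tx.extend(self.app_proxy.on_client_data(packet))
        self._flush_client_tx()

    def server_data_packet(self, packet):  # packet 618
        if self.state is not State.SERVER_CONNECTED:
            raise RuntimeError("server data without a server session")
        self.server_tx.extend(self.app_proxy.on_server_data(packet))  # data 628
        while self.server_tx:
            self.tcpip.send_to_client(self.server_tx.pop(0))

    def _flush_client_tx(self):
        # Buffer 622 drives the state machine: data in it triggers the server
        # session and is forwarded once that session has been established.
        if not self.client_tx or self.state is State.SERVER_CONNECTING:
            return
        if self.state is State.CLIENT_CONNECTED:
            self.server_addr = self.client_tx[0][1]
            if self.server_addr is None:
                raise RuntimeError("proxy supplied no server address")
            self.state = State.SERVER_CONNECTING
            self.tcpip.connect(self.server_addr)  # ask TCP/IP layer 610 for a session
            return
        while self.client_tx:
            self.tcpip.send_to_server(self.client_tx.pop(0)[0])

def run_demo():
    # Constructed traffic: one client connection, two client packets (the
    # second exceeds the policy cap and is dropped) and one server reply.
    tcpip = FakeTcpIpLayer()
    layer = NetworkProxyLayer(tcpip, PassThroughProxy(("10.0.0.5", 80)), max_packet=64)
    layer.client_establishment_event({"addr": ("192.0.2.10", 51000)})
    layer.client_data_packet(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    states = [layer.state]              # SERVER_CONNECTING: buffer 622 is non-empty
    layer.server_establishment_event()  # event 615: SERVER_CONNECTED, buffer flushed
    states.append(layer.state)
    layer.client_data_packet(b"X" * 100)
    layer.server_data_packet(b"HTTP/1.1 200 OK\r\n\r\n")
    return layer, tcpip, states
```

The client request is held in buffer 622 until the server establishment event arrives, which is the point of the server connecting state; the oversized packet is dropped at the proxy layer and never reaches the application proxy.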
[0047] FIG. 5 illustrates an example embodiment of a HTTP
application proxy 721. In exemplary embodiments, HTTP application
proxy 721 may include a client request state 722 and a server
response state 724. HTTP application proxy 721 may receive client
received data 627 from network proxy layer 620. HTTP application
proxy 721 determines that client received data 627 is from client
device 100 and may then enter client request state 722. HTTP
application proxy 721 examines client received data
627 and determines client received data 627 includes a HTTP request
726.
[0048] In some embodiments, client request state 722 may include a
HTTP request protocol parser 725 which determines if client
received data 627 satisfies the HTTP request protocol. In an
example embodiment, HTTP request protocol parser 725 determines
that client received data 627 satisfies the protocol. HTTP request
protocol parser 725 may generate a record showing the components of
the HTTP request 726. HTTP application proxy 721 may then process
HTTP request 726. In some embodiments, HTTP request protocol parser
725 may be included in network proxy layer 620, and network proxy layer
620 processes client received data 627 against HTTP request
protocol parser 725 to generate the record for the HTTP request
726. In some embodiments, client received data 627 may include the
record for the HTTP request 726.
[0049] In an example embodiment, HTTP application proxy 721 may
select server 200 based on HTTP request 726. HTTP application proxy
721 may also select server 200 based on a server selection policy
(not shown). In exemplary embodiments, HTTP application proxy 721
may modify HTTP request 726 and put HTTP request 726 or the
modified HTTP request into client transmit buffer 622. HTTP
application proxy 721 may also inform network proxy layer 620 to
establish a session with server 200 for HTTP request 726. As
illustrated elsewhere, network proxy layer 620 may establish a TCP
session with server 200 and transmit data in client transmit buffer
622 to server 200.
[0050] In exemplary embodiments, HTTP application proxy 721 may
examine HTTP request 726 based on one or more security policies,
such as detection of denial of service, or any other security policy
applicable to the HTTP protocol or to the HTTP application
associated with HTTP application proxy 721.
[0051] In an example embodiment, HTTP application proxy 721 changes
state from client request state 722 to server response state 724.
During server response state 724, HTTP application proxy 721 may
receive server received data 628 from network proxy layer 620.
Server response state 724 may continue to receive server received
data 628. In server response state 724, HTTP application proxy 721
may inspect server received data 628 against HTTP response format.
In server response state 724, it may generate a record showing the
components of HTTP response 728. HTTP application proxy 721 may
process HTTP response 728 or modify HTTP response 728. In some
embodiments, HTTP application proxy 721 may process HTTP response
728 using a service policy. HTTP application proxy 721 may then
place processed HTTP response onto server transmit buffer 624 for
network proxy layer 620 to send to client device 100.
[0052] In embodiments, HTTP application proxy 721 may process HTTP
response 728 based on one or more security policies such as
detecting a phishing response or a virus, or any other security
policy applicable to the HTTP response or to the HTTP application
associated with HTTP application proxy 721.
[0053] HTTP application proxy 721 may also perform load balancing
for HTTP request 726, among a plurality of servers which includes
server 200. In an exemplary embodiment, HTTP application proxy 721
performs an HTTP firewall function. In another exemplary embodiment,
HTTP application proxy 721 performs an access control based on
geographic information about client device 100. HTTP application
proxy 721 may also perform content caching for server 200.
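As an added illustration (not code from the application), the client request state and server response state of HTTP application proxy 721 as a small state machine: received data is accumulated until it satisfies the start-line-plus-headers format, a hypothetical header-count limit stands in for the security policy, and accepted data is placed in the transmit buffer for the other side. The parser, class and limit are assumptions for this example.

```python
CLIENT_REQUEST, SERVER_RESPONSE = "client_request", "server_response"
MAX_HEADERS = 32  # hypothetical security-policy limit standing in for a DoS check


def parse_http_message(data: bytes):
    """Record of (start line, headers, body), or None if not yet a complete head."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete: keep receiving
    start = head.split(b"\r\n")[0].split(b" ", 2)  # method/target/version or version/status/reason
    if len(start) != 3:
        return None  # start line does not satisfy the protocol
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return {"start": start, "headers": headers, "body": body}


class HttpApplicationProxy:  # hypothetical stand-in for HTTP application proxy 721
    def __init__(self):
        self.state = CLIENT_REQUEST
        self.client_transmit_buffer = bytearray()  # data bound for the server
        self.server_transmit_buffer = bytearray()  # data bound for the client
        self.pending = b""  # received bytes not yet forming a complete message

    def on_client_received_data(self, data: bytes) -> str:  # client request state
        self.pending += data
        record = parse_http_message(self.pending)
        if record is None:
            return "continue"
        if len(record["headers"]) > MAX_HEADERS:
            self.pending = b""
            return "blocked"  # policy violation: nothing is placed in the buffer
        self.client_transmit_buffer += self.pending
        self.pending = b""
        self.state = SERVER_RESPONSE
        return "forward"

    def on_server_received_data(self, data: bytes) -> str:  # server response state
        if self.state != SERVER_RESPONSE:
            return "unexpected"  # no request was forwarded, so no response is due
        self.pending += data
        record = parse_http_message(self.pending)
        if record is None:
            return "continue"
        self.server_transmit_buffer += self.pending
        self.pending = b""
        self.state = CLIENT_REQUEST
        return "forward"
```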
[0054] FIG. 6 illustrates an exemplary embodiment of a TCP
application proxy 730. In exemplary embodiments, TCP application
proxy 730 receives client received data 627 from network proxy
layer 620. TCP application proxy 730 may place client received data
627 into client transmit buffer 622. If TCP application proxy 730
determines client received data 627 indicates a new TCP proxy
session from client device 100, TCP application proxy 730 may
inform network proxy layer 620 to establish a server session with
server 200. TCP application proxy 730 may obtain server 200
information based on client received data 627.
[0055] In exemplary embodiments, TCP application proxy 730 receives
server received data 628 from network proxy layer 620. TCP
application proxy 730 may place server received data 628 into
server transmit buffer 624.
[0056] In some embodiments, TCP application proxy 730 may process
and perhaps modify client received data 627 or server received data
628 prior to placing the data into either client transmit buffer
622 or server transmit buffer 624. In one embodiment, TCP
application proxy 730 processes client received data 627 or server
received data 628 based on a security policy such as detection of a
denial of service (DoS) event, or other TCP security processing; or
based on a service policy such as bandwidth policy, traffic
management policy or other configured service policies. In one
embodiment, TCP application proxy 730 applies additional session
protocol processing such as encryption, decryption, compression, or
TCP profiling.
[0057] FIG. 7 illustrates an exemplary embodiment of a second
application proxy 742 being applied after a first application proxy
741. In one embodiment, application session 400 is processed by two
application proxies 741 and 742. In the client to server traffic
direction, application proxy 741 may be applied before application
proxy 742. In the server to client traffic direction, application
proxy 741 may also be applied after application proxy 742.
Alternatively, in some embodiments, application proxy 742 may be
applied prior to application proxy 741 in the client to server
traffic direction, and/or in the server to client traffic
direction.
[0058] In an exemplary embodiment, application proxy 741 receives
client received data 627, processes client received data 627, and
generates client data 637 using client received data 627. In one
embodiment, application proxy 741 places data 637 into client
transmit buffer 622 and network proxy layer 620 sends client data
637 as modified client received data 727 for application proxy 742.
In one embodiment, application proxy 741 sends data 637 as modified
client received data 727 to application proxy 742. Application
proxy 742 may process modified client received data 727 and place
processed modified client received data 727 into client transmit
buffer 622 such that network proxy layer 620 can send data from
client transmit buffer 622 to server 200.
[0059] In exemplary embodiments, application proxy 742 may receive
server received data 628, process server received data 628, and
generate server data 638 using server received data 628. In one
embodiment, application proxy 742 places server data 638 into
server transmit buffer 624 and network proxy layer 620 places
server data 638 from server transmit buffer 624 as modified server
received data 728 for application proxy 741. In one embodiment,
application proxy 742 sends server data 638 as modified server
received data 728 to application proxy 741. Application proxy 741
processes modified server received data 728 and places processed
modified server received data into server transmit buffer 624 such
that network proxy layer 620 can send data from server transmit
buffer 624 to client device 100.
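An added example (not from the application) of the FIG. 7 ordering: a network proxy layer applies application proxy 741 before 742 in the client to server direction and after 742 in the server to client direction, so 741 observes the original request but the rewritten response. The audit proxy, the header-rewriting proxy and the host names are constructed for this illustration.

```python
class AuditProxy:  # constructed stand-in for application proxy 741: observes, never alters
    def __init__(self):
        self.log = []  # (direction, byte count) as seen at this proxy's position

    def process_client_data(self, data: bytes) -> bytes:
        self.log.append(("client_to_server", len(data)))
        return data

    def process_server_data(self, data: bytes) -> bytes:
        self.log.append(("server_to_client", len(data)))
        return data


class RewriteProxy:  # constructed stand-in for application proxy 742: rewrites headers
    def process_client_data(self, data: bytes) -> bytes:
        return data.replace(b"Host: public.example", b"Host: backend.internal")

    def process_server_data(self, data: bytes) -> bytes:
        return data.replace(b"Server: upstream/1.0", b"Server: proxy")


class NetworkProxyLayer:  # hypothetical stand-in for network proxy layer 620
    def __init__(self, proxies):
        self.proxies = list(proxies)  # client-to-server order, e.g. [741, 742]
        self.client_transmit_buffer = bytearray()  # data queued for server 200
        self.server_transmit_buffer = bytearray()  # data queued for client device 100

    def on_client_received_data(self, data: bytes) -> bytes:
        for proxy in self.proxies:  # 741 first; its output is 742's input
            data = proxy.process_client_data(data)
        self.client_transmit_buffer += data
        return bytes(data)

    def on_server_received_data(self, data: bytes) -> bytes:
        for proxy in reversed(self.proxies):  # 742 first, then 741
            data = proxy.process_server_data(data)
        self.server_transmit_buffer += data
        return bytes(data)
```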
[0060] FIG. 8 shows a diagrammatic representation of a machine in
the example electronic form of a computer system 800, within which
a set of instructions for causing the machine to perform any one or
more of the methodologies discussed herein may be executed. In
various example embodiments, the machine operates as a standalone
device or may be connected (e.g., networked) to other machines. In
a networked deployment, the machine may operate in the capacity of
a server or a client machine in a server-client network
environment, or as a peer machine in a peer-to-peer (or
distributed) network environment. The machine may be a PC, a tablet
PC, a set-top box (STB), a cellular telephone, a portable music
player (e.g., a portable hard drive audio device such as a Moving
Picture Experts Group Audio Layer 3 (MP3) player), a web appliance,
a network router, switch or bridge, or any machine capable of
executing a set of instructions (sequential or otherwise) that
specify actions to be taken by that machine. Further, while only a
single machine is illustrated, the term "machine" shall also be
taken to include any collection of machines that individually or
jointly execute a set (or multiple sets) of instructions to perform
any one or more of the methodologies discussed herein.
[0061] The example computer system 800 includes a processor or
multiple processors 802 (e.g., a central processing unit (CPU), a
graphics processing unit (GPU), or both), a main memory 804 and a
static memory 806, which communicate with each other via a bus 808.
The computer system 800 may further include a video display unit
810 (e.g., a liquid crystal display (LCD) or a cathode ray tube
(CRT)). The computer system 800 may also include an alphanumeric
input device 812 (e.g., a keyboard), a cursor control device 814
(e.g., a mouse), a disk drive unit 816, a signal generation device
818 (e.g., a speaker), and a network interface device 820.
[0062] The disk drive unit 816 includes a non-transitory
computer-readable medium 822, on which is stored one or more sets
of instructions and data structures (e.g., instructions 824)
embodying or utilized by any one or more of the methodologies or
functions described herein. The instructions 824 may also reside,
completely or at least partially, within the main memory 804 and/or
within the processors 802 during execution thereof by the computer
system 800. The main memory 804 and the processors 802 may also
constitute machine-readable media.
[0063] The instructions 824 may further be transmitted or received
over a network 826 via the network interface device 820 utilizing
any one of a number of well-known transfer protocols (e.g., Hyper
Text Transfer Protocol (HTTP)).
[0064] While the computer-readable medium 822 is shown in an
example embodiment to be a single medium, the term
"computer-readable medium" should be taken to include a single
medium or multiple media (e.g., a centralized or distributed
database and/or associated caches and servers) that store the one
or more sets of instructions. The term "computer-readable medium"
shall also be taken to include any medium that is capable of
storing, encoding, or carrying a set of instructions for execution
by the machine and that causes the machine to perform any one or
more of the methodologies of the present application, or that is
capable of storing, encoding, or carrying data structures utilized
by or associated with such a set of instructions. The term
"computer-readable medium" shall accordingly be taken to include,
but not be limited to, solid-state memories, optical and magnetic
media, and carrier wave signals. Such media may also include,
without limitation, hard disks, floppy disks, flash memory cards,
digital video disks, random access memory (RAMs), read only memory
(ROMs), and the like.
[0065] The example embodiments described herein can be implemented
in an operating environment comprising computer-executable
instructions (e.g., software) installed on a computer, in hardware,
or in a combination of software and hardware. The
computer-executable instructions can be written in a computer
programming language or can be embodied in firmware logic. If
written in a programming language conforming to a recognized
standard, such instructions can be executed on a variety of
hardware platforms and for interfaces to a variety of operating
systems. Although not limited thereto, computer software programs
for implementing the present method can be written in any number of
suitable programming languages such as, for example, Hypertext
Markup Language (HTML), Dynamic HTML, Extensible Markup Language
(XML), Extensible Stylesheet Language (XSL), Document Style
Semantics and Specification Language (DSSSL), Cascading Style
Sheets (CSS), Synchronized Multimedia Integration Language (SMIL),
Wireless Markup Language (WML), Java.TM., Jini.TM., C, C++, Perl,
UNIX Shell, Visual Basic or Visual Basic Script, Virtual Reality
Markup Language (VRML), ColdFusion.TM. or other compilers,
assemblers, interpreters or other computer languages or
platforms.
[0066] Thus, methods and systems for providing a network proxy
layer are disclosed. Although embodiments have been described with
reference to specific example embodiments, it will be evident that
various modifications and changes can be made to these example
embodiments without departing from the broader spirit and scope of
the present application. Accordingly, the specification and
drawings are to be regarded in an illustrative rather than a
restrictive sense.
* * * * *